From 417116f23432073162ebfcb286a7800846482eed Mon Sep 17 00:00:00 2001 From: Lennart Poettering Date: Tue, 3 Jun 2014 23:41:44 +0200 Subject: core: add new ReadOnlySystem= and ProtectedHome= settings for service units ReadOnlySystem= uses fs namespaces to mount /usr and /boot read-only for a service. ProtectedHome= uses fs namespaces to mount /home and /run/user inaccessible or read-only for a service. This patch also enables these settings for all our long-running services. Together they should be good building block for a minimal service sandbox, removing the ability for services to modify the operating system or access the user's private data. --- man/systemd.exec.xml | 61 +++++++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 60 insertions(+), 1 deletion(-) (limited to 'man/systemd.exec.xml') diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml index 3f27d13c38..3664303491 100644 --- a/man/systemd.exec.xml +++ b/man/systemd.exec.xml @@ -764,7 +764,7 @@ capability sets as documented in cap_from_text3. Note that these capability sets are - usually influenced by the capabilities + usually influenced (and filtered) by the capabilities attached to the executed file. Due to that CapabilityBoundingSet= @@ -934,6 +934,63 @@ accessible). + + ReadOnlySystem= + + Takes a boolean + argument. If true, mounts the + /usr and + /boot directories + read-only for processes invoked by + this unit. This setting ensures that + any modification of the vendor + supplied operating system is + prohibited for the service. It is + recommended to enable this setting for + all long-running services, unless they + are involved with system updates or + need to modify the operating system in + other ways. Note however, that + processes retaining the CAP_SYS_ADMIN + capability can undo the effect of this + setting. This setting is hence + particularly useful for daemons which + have this capability removed, for + example with + CapabilityBoundingSet=. Defaults + to off. + + + + ProtectedHome= + + Takes a boolean + argument or + read-only. If true, + the directories + /home and + /run/user are + made inaccessible and empty for + processes invoked by this unit. If set + to read-only the + two directores are made read-only + instead. It is recommended to enable + this setting for all long-running + services (in particular network-facing + one), to ensure they cannot get access + to private user data, unless the + services actually require access to + the user's private data. Note however, + that processes retaining the + CAP_SYS_ADMIN capability can undo the + effect of this setting. This setting + is hence particularly useful for + daemons which have this capability + removed, for example with + CapabilityBoundingSet=. Defaults + to off. + + MountFlags= @@ -968,6 +1025,8 @@ namespace related options (PrivateTmp=, PrivateDevices=, + ReadOnlySystem=, + ProtectedHome=, ReadOnlyDirectories=, InaccessibleDirectories= and -- cgit v1.2.3-54-g00ecf